Education Is the Key to Secure Software

In mid-January, security professionals were confronted with the biggest online worm since 2004. Referred to as "downadup" or "conficker," the bug spread to more than 1 million computers in less than three weeks. And it is just the latest example of the chronic security challenges of our increasingly connected world.

Recently, a number of international cybersecurity organizations collaborated to create a list of the 25 most dangerous software programming errors — all of which can lead to serious cases of cybercrime. In fact, according to computer security research and training organization SANS, just two of the 25 listed errors led to more than 1.5 million online security breaches last year. Perhaps more shocking, however, is the fact that computer science students are not taught how to avoid these errors and many programmers do not understand them.

“It’s such common knowledge that we continue to have vulnerabilities, some of them daily,” said Hord Tipton, executive director at (ISC)2. “At this point, we continue to have to patch our servers and our equipment and train people to look for the things that result from software that continues to have the vulnerability.”

With the new list of 25 errors, programmers now have a common set of weaknesses to direct their attention to; colleges can benchmark their curricula against the list to make sure they are hitting key topics; and, at the operation stage, software-testing tools can be implemented to ensure applications are error-free.

Security education experts at (ISC)2 had already begun addressing this issue when this new list came out. In fact, a new credential, CSSLP (Certified Secure Software Lifecycle Professional), was announced back in September, and the first exam will be administered at the end of June.

The CSSLP was designed holistically, Tipton said.

“It’s not enough just to know what the issues are and what the top 25 [errors] are — although that definitely is a start. What’s more critical than simply identifying the vulnerabilities is knowing where they come into play in the life cycle of an application,” he said. “[The errors] don’t just occur when you’re sitting in your office writing your code and compiling it and doing the testing of it. The issues are more profound when you missed them on the front end or [when they] get hard coded. The issue continues to be people.”

The CSSLP attempts to solve this issue by providing education to all the professionals who are involved with an application across its life cycle: analysts, developers, software engineers and project managers.

While the CSSLP is one way to ensure professionals have the knowledge and skills to protect applications from vulnerabilities, members of the security community still have their work cut out for them. They must continue to collaborate in establishing training and education opportunities to fight security weaknesses.

“I think we [the community] all have the same purpose here,” Tipton said. “We want to instill knowledge and a sense of awareness and responsibility, not only with people in the field working day-to-day on these type of things, but it really needs to be instilled in academia.”

Software professionals can pursue education in the security space through a number of vehicles. Many resources are available over the Web, including webcasts and RSS feeds.

“This is one of the things that we stress as a strength of our credential: the need to continue to get continuing education,” Tipton said.